Lucene search

[email protected]NVD:CVE-2021-22176

HistoryMar 24, 2021 - 5:15 p.m.

CVE-2021-22176

2021-03-2417:15:13

CWE-863

[email protected]

web.nvd.nist.gov

gitlab

access control

project members

merge requests

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

29.6%

JSON

An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests

Affected configurations

Nvd

Node

gitlabgitlabRange3.0.1–13.6.7community

gitlabgitlabRange3.0.1–13.6.7enterprise

gitlabgitlabRange13.7.0–13.7.7community

gitlabgitlabRange13.7.0–13.7.7enterprise

gitlabgitlabRange13.8.0–13.8.4community

gitlabgitlabRange13.8.0–13.8.4enterprise

References

gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22176.json

gitlab.com/gitlab-org/gitlab/-/issues/243491

hackerone.com/reports/962604

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

29.6%

JSON

Related for NVD:CVE-2021-22176

osv2 ubuntucve1 veracode1 prion1 nessus1 cvelist1 debiancve1 cve1